Rethinking MFA

We all dream of a world where we can trust everyone who accesses our corporate resources – but the reality is different. Adversaries are constantly trying to breach our systems and access our sensitive data, using our vulnerable authentication mechanisms against us.

The problems of password authentication have been known for decades. The introduction of multi-factor authentication was the first major step towards strengthening authentication. Today, MFA is used by almost all enterprises in some capacity, yet it still protects only a small portion of our sensitive assets. This must make you wonder – if the problem is well known and the solution is available, why aren’t we using MFA to protect all systems? Why do we still rely on passwords so much? This is especially alarming considering that the use of compromised passwords in data breaches is growing from year to year instead of shrinking.

Realizing this drove me, together with my co-founders Matan Fattal and Yaron Kassner, to start Silverfort. We met during our years at the Israeli cyber intelligence unit 8200, where we served in cybersecurity research, team leadership and group leadership roles, and got the opportunity to lead innovative research projects and the development of cutting-edge technologies. Each of us later worked for industry-leading companies, until, three years ago, we joined forces again to establish Silverfort.

Being innovators in the authentication space, we always thought that MFA would never be truly effective as long as it remained a point solution for protecting individual assets. Our approach is fundamentally different. For the first time, MFA will be designed to easily and seamlessly protect any organizational resource, no matter what it is, or where it is.

Who moved my perimeter?

Like many other security frameworks, MFA was designed under the perception of the perimeter – the clear border separating the “trusted” corporate network from the “untrusted” external network. In this simple reality, it was enough to enforce MFA at the “door” – the VPN gateway, and maybe for a few remote resources. MFA solutions were therefore built to protect a specific point of access, and while their user experience evolved over the years, this basic assumption did not.

In recent years, network perimeters have been gradually dissolving. IT revolutions such as cloud, IoT and BYOD are just some of the reasons why the physical boundaries of the corporate network are becoming irrelevant. This new era is challenging traditional security frameworks – where do I put my gatekeeper if there’s no clear gate? Where do I enforce MFA in a dynamic, hybrid environment where countless different devices and services are connecting to one another? That is why one infected endpoint is enough to take over an entire network using credential theft and lateral movement, as demonstrated in the 2017 NotPetya attack and many others.

Integrating MFA system by system – a lost battle

To better address the changing needs of their customers, MFA vendors have begun offering a long list of integrations, software agents, SDKs, proxies and other tools that enable MFA for more systems. Yet deploying them has become an endless task for security teams. With each solution offering integrations with specific systems, organizations are often forced to maintain several MFA solutions in order to protect their critical assets. This results in high costs, ongoing investment of professional resources, and an inconsistent user experience. It also limits the potential of risk-based adaptive authentication, because each MFA solution monitors only a portion of the network assets (for example, only web applications), without any consolidated risk analysis that takes into account user behavior across all systems and environments.

More importantly, many types of sensitive resources cannot be protected by current MFA solutions, for multiple reasons:

In many cases, deploying software agents or making local modifications to certain systems isn’t feasible technically. This is the case with many proprietary and legacy systems, file shares (that are now targeted by ransomware), IoT devices and more.

For many critical assets and third-party systems, technical modifications are refused by resource owners or prohibited by the manufacturers. This is common with production-critical servers and industrial control systems (ICS).

In many organizations, the number of assets and the dynamic nature of the environment make asset-by-asset integration impossible, such as in large enterprise networks and complex IaaS environments where countless different VM instances are created or moved between environments on a daily basis, or in cases where business units implement systems that IT has no idea about – a phenomenon called “shadow IT”.

Rethinking MFA

Looking at the challenges and limitations of traditional MFA solutions, it seems like the attempt to “stretch” traditional MFA solutions to fit today’s reality has reached its limits, and attackers are taking advantage of it. It’s time to go back to the drawing board and design a new breed of MFA solutions. We need to look at the network as a whole instead of integrating MFA into each individual asset. We need a way to seamlessly deliver strong authentication to systems that are currently considered “unprotectable” or that the IT department doesn’t even know about. We need a way to enable unified authentication policies, visibility, user experience and risk analysis across all systems and environments.
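To make the consolidated-versus-siloed risk analysis argument above concrete, here is an added illustration (not Silverfort's code, and not from the original post) of a simple network-wide step-up policy evaluated over constructed authentication events from several systems. The same rule, run over only the events a single-system MFA integration can see, never triggers, while the consolidated view flags the fan-out pattern typical of lateral movement. Event fields, resource names, the window and the threshold are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample: authentication events from several different systems.
# A per-asset MFA integration only ever sees the rows for its own resource.
EVENTS = [
    # (timestamp, user, source host, target resource, protocol)
    ("2024-01-01T09:00:00", "alice", "ws-17", "fs01",     "smb"),
    ("2024-01-01T09:00:20", "alice", "ws-17", "srv-erp",  "rdp"),
    ("2024-01-01T09:00:45", "alice", "ws-17", "swift-gw", "rdp"),
    ("2024-01-01T09:01:05", "alice", "ws-17", "hr-web",   "https"),
    ("2024-01-01T09:30:00", "bob",   "ws-03", "hr-web",   "https"),
]

WINDOW = timedelta(minutes=5)   # assumed look-back window for behaviour analysis
FAN_OUT_LIMIT = 3               # assumed: distinct resources per (user, source) in WINDOW

def _ts(s):
    return datetime.fromisoformat(s)

def risk_decisions(events, visible_resources=None):
    """Evaluate each event in time order and decide whether to step up to MFA.

    visible_resources=None models the consolidated view (every event is seen);
    a set of resource names models a siloed MFA integration that only sees
    authentications to those resources. Returns {(timestamp, user, resource): action}.
    """
    seen = [e for e in events if visible_resources is None or e[3] in visible_resources]
    seen.sort(key=lambda e: _ts(e[0]))
    decisions = {}
    for i, (ts, user, src, resource, _proto) in enumerate(seen):
        now = _ts(ts)
        # Distinct resources this user reached from this source within the window,
        # counting the current event itself.
        recent = {
            r for (t, u, s, r, _) in seen[: i + 1]
            if u == user and s == src and now - _ts(t) <= WINDOW
        }
        action = "step-up" if len(recent) >= FAN_OUT_LIMIT else "allow"
        decisions[(ts, user, resource)] = action
    return decisions

def step_ups(decisions):
    """Sorted list of resources on which MFA was demanded."""
    return sorted(r for (_, _, r), a in decisions.items() if a == "step-up")

if __name__ == "__main__":
    print("consolidated view:", step_ups(risk_decisions(EVENTS)))
    print("web-app-only silo:", step_ups(risk_decisions(EVENTS, {"hr-web"})))
```

In the consolidated run, alice's third and fourth authentications (swift-gw, hr-web) are stepped up; the web-only silo sees a single, normal-looking login and allows everything.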

By changing the way MFA is designed and implemented, Silverfort has opened a new chapter in enterprise authentication, enhancing the ability to trust users, manage secure access across all corporate systems and environments, respond to threats with real-time step-up authentication and enforce true risk-aware adaptive authentication that is not limited to specific systems.

Three years into this journey, the Silverfort Next Generation Authentication Platform is now used by organizations all over the world to achieve exactly that. We help financial institutions enable MFA for their SWIFT servers, legacy financial applications and various servers where MFA is required by PCI DSS, SWIFT CSP, GDPR or the NY-DFS cybersecurity regulations. We help healthcare organizations enforce risk-based authentication across medical IoT devices, PACS servers and sensitive electronic health records (EHRs). We help energy and manufacturing companies apply MFA not only in their IT environment, but also across their OT networks. We help organizations in all industries deliver holistic authentication policies, unified visibility and a frictionless user experience across all systems and environments.

Along the way we earned the support of great investors, leading partners, industry experts and most importantly – happy customers. But this is only the beginning – now it’s time to spread the word and reshape the authentication market.